sdinteractive / sd-serverdiagnostics

Server Connector For MageDiagnostics

Initial Server Diagnostics Implementation #1

Closed mpchadwick closed 8 years ago

mpchadwick commented 8 years ago
toddbc commented 8 years ago

There may also be some value in using rpm for versions on rpm-based systems like RHEL/CentOS.

$ rpm -q httpd24u || echo "Not there"
httpd24u-2.4.18-1.ius.el6.x86_64

$ rpm -q httpd || echo "Not there"
package httpd is not installed
Not there

$ rpm --quiet -q httpd24u && echo --data-urlencode "apacheVersion=$(rpm -q httpd24u --queryformat '%{version}-%{release}')"
--data-urlencode apacheVersion=2.4.18-1.ius.el6

$ echo --data-urlencode "rpmVersions=$(rpm -qa --queryformat '%{name}-%{version}-%{release},')"
--data-urlencode rpmVersions=gpg-pubkey-0608b895-4bd22942,tzdata-2015g-2.el6,rpmforge-release-0.5.3-1.el6.rf,dmraid-1.0.0.rc16-11.el6........

mpchadwick commented 8 years ago

> There may also be some value in using rpm for versions on rpm-based systems like RHEL/CentOS.

Hmm, doing a bit of research, there's also dpkg-query for, e.g., Ubuntu systems:

vagrant@homestead:~$ dpkg-query -W -f='${Version}' nginx

1.9.11-0+trusty0

Can you make a strong argument for why it's better to go through a package manager, which can vary from OS to OS, than to execute the binary directly, which (hopefully) should not change regardless of OS?

toddbc commented 8 years ago

Yes. Because packagers have a nasty habit of backporting important fixes.

For example, OpenSSL 1.0.1t is the latest version of the 1.0.1 line of OpenSSL (ignoring 1.0.2+). However, CentOS 6 servers all have OpenSSL 1.0.1e. Doesn't that mean we're missing important security patches, since 1.0.1t etc. were all security releases?

Actually, no. The latest version of OpenSSL for CentOS 6 is 1.0.1e-42. If you were running 1.0.1e-30, for example, you might definitely be missing important security patches. But if you're on 1.0.1e-42, you're okay.

In either case, openssl version will just say 1.0.1e-fips. Packagers never bother to update versions in binaries so people can tell they are patched. You have to use the package system if you want to know if you are patched or not.

(packagers also have opinions, and may apply patches that mainline thinks are a bad idea or could break things - saying this from personal experience as mainline. Therefore "trusty" and "el6" could be different as well, and have bugs or security holes that are different from each other, depending on which packagers trusted mainline and which decided they knew more about the software than its developers do.)
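The two points above (query the package manager, not the binary, and read the distro release number rather than the upstream version) can be folded into one portable helper. The script below is an added example, not code from sd-serverdiagnostics or from either commenter. It assumes a POSIX sh, that `rpm -q rpm` succeeding is a good enough test for an rpm-managed system, and that GNU `sort -V` is available for the version comparison; the function names (`detect_pkg_manager`, `pkg_version`, `at_least`, `version_report`) and the `not-installed`/`unknown` markers are my own choices.

```shell
#!/bin/sh
# Added example: report installed package versions through the package
# manager instead of the binary.  Distros backport security fixes without
# bumping the upstream version, so `openssl version` on CentOS 6 says
# 1.0.1e-fips for both the vulnerable 1.0.1e-30 and the patched 1.0.1e-42;
# only the rpm/dpkg release number tells them apart.

# Which package manager owns this system?  Prints rpm, dpkg, or none.
# `rpm -q rpm` guards against a stray rpm binary on a Debian box (assumption).
detect_pkg_manager() {
    if command -v rpm >/dev/null 2>&1 && rpm -q rpm >/dev/null 2>&1; then
        echo rpm
    elif command -v dpkg-query >/dev/null 2>&1; then
        echo dpkg
    else
        echo none
    fi
}

# Print "<version>-<release>" for one package.  Prints not-installed (status 1)
# for an absent package and unknown (status 2) when no package manager is found.
pkg_version() {
    pkg=$1
    case "$(detect_pkg_manager)" in
        rpm)
            rpm --quiet -q "$pkg" || { echo not-installed; return 1; }
            rpm -q --queryformat '%{version}-%{release}\n' "$pkg" ;;
        dpkg)
            # dpkg keeps entries for removed packages whose config files remain,
            # so check the status field, not just whether a row exists.
            status=$(dpkg-query -W -f='${Status} ${Version}\n' "$pkg" 2>/dev/null) \
                || { echo not-installed; return 1; }
            case "$status" in
                "install ok installed "*) echo "${status#install ok installed }" ;;
                *) echo not-installed; return 1 ;;
            esac ;;
        *)  echo unknown; return 2 ;;
    esac
}

# Split "version-release" at the last dash.  The upstream part is what the
# binary reports; the release part is the distro's patch counter.
upstream_version() { printf '%s\n' "${1%-*}"; }
distro_release()   { printf '%s\n' "${1##*-}"; }

# Is the installed version-release at least the one the vendor fixed in?
# Uses GNU sort -V (assumption); rpmdev-vercmp or `dpkg --compare-versions`
# are the exact comparators on their own platforms.
at_least() {
    installed=$1 fixed=$2
    [ "$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n1)" = "$fixed" ]
}

# Emit one --data-urlencode argument per package, the shape the thread's
# curl upload uses; missing packages are reported rather than silently dropped.
version_report() {
    for pkg in "$@"; do
        printf -- '--data-urlencode %s=%s\n' "$pkg" "$(pkg_version "$pkg")"
    done
}

# Usage: sh pkgver.sh openssl httpd24u nginx
if [ "$#" -gt 0 ]; then
    version_report "$@"
fi
```

On the thread's own numbers, `at_least 1.0.1e-42 1.0.1e-42` and `at_least 1.0.1e-42 1.0.1e-30` succeed while `at_least 1.0.1e-30 1.0.1e-42` fails, even though `upstream_version` returns `1.0.1e` for all of them; that is exactly the information the binary's own version string hides.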

mpchadwick commented 8 years ago

@toddbc You make very good points. Thank you. I'll update and resolve version information through the package managers (either dpkg or rpm).

mpchadwick commented 8 years ago

@toddbc updated based on your feedback

toddbc commented 8 years ago

Cool, looks good - just one note about Apache version detection.